Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Desktop gone when re-booting


Post by VopThis » December 2nd, 2005, 11:24 am

Here's hoping that the SpySweeper tool got the main malware reinfection mechanisms.




Try running the following tools:


Bit Defender:
http://www.bitdefender.com/scan/licence.php
Turn off any Popup Blockers before accessing the site.
Save the log and post it here. Let it clean/cure/delete all it finds.

You might have to hit refresh if it reports a failed download.




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      - Extended (if available otherwise Standard)
    • Scan Options:
      - Scan Archives
      - Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Delete any items found by Kaspersky in SAFE MODE.
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Post by maryd3954 » December 8th, 2005, 11:28 pm

Hi,
First of all, I forgot last time I wrote to tell you about where I found "find.exe". It was in 4 places:
C:\I386
C:\Windows\System32
C:\MentorGraphics\Nutc\mksnt
C:\Windows\System32\DLLCACHE


Here is the report from Bitdefender:
BitDefender Online Scanner

Scan report generated at: Wed, Dec 07, 2005 - 23:32:26
Scan path: A:\;C:\;D:\;E:\;

Statistics
  Time: 01:30:30
  Files: 705004
  Folders: 10590
  Boot Sectors: 3
  Archives: 27012
  Packed Files: 64899

Results
  Identified Viruses: 2
  Infected Files: 2
  Suspect Files: 1
  Warnings: 0
  Disinfected: 0
  Deleted Files: 3

Engines Info
  Virus Definitions: 242072
  Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
  Scan plugins: 13
  Archive plugins: 39
  Unpack plugins: 4
  E-mail plugins: 6
  System plugins: 1

Scan Settings
  First Action: Delete
  Second Action: None
  Heuristics: Yes
  Enable Warnings: Yes
  Scanned Extensions: *;
  Exclude Extensions:
  Scan Emails: Yes
  Scan Archives: Yes
  Scan Packed: Yes
  Scan Files: Yes
  Scan Boot: No

Scanned File / Status

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152538.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 2)=>(ZIP Sfx s)=>cd_htm.dll
Detected with: Adware.CyDoor

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152538.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 2)=>(ZIP Sfx s)=>cd_htm.dll
Deleted

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152538.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 2)=>(ZIP Sfx s)
Updated

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152538.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 2)
Update failed

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152538.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 209)
Infected with: Trojan.Downloader.3346.A

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152538.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 209)
Deleted

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152538.exe=>(CAB Sfx o)=>\Disk1\data2.cab
Update failed

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP602\A0182068.exe=>(NSIS o)=>zlib_nsis0001
Suspected of: BehavesLike:Trojan.Downloader

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP602\A0182068.exe=>(NSIS o)=>zlib_nsis0001
Deleted

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP602\A0182068.exe=>(NSIS o)
Update failed



Here is what happened with Kaspersky:

When I went to the website, I checked to do the on-line scan, but when it told me I had to install an active-x thing, I clicked on the icon to install and it brought me to a marketing window with nothing about the install. I never got it to work. I even tried again a few more times, ignoring the active-x beep, but it never finishes downloading.
maryd3954
Active Member
 
Posts: 9
Joined: November 6th, 2005, 5:14 pm
Location: Boulder Creek, Ca
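
An added example, not part of the original posts: a small parser for path/status pairs in the layout of the BitDefender report above. It groups nested-archive hits by their outer file and separates detections that sit only inside a System Restore snapshot (`_restore{...}\RPnnn`) from detections on the live file system. The function names and the last sample pair are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Path/status pairs in the report's layout. The first three pairs are taken from
# the report above; the last pair is constructed to show a hit outside System Restore.
SAMPLE = r"""
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152538.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 2)=>(ZIP Sfx s)=>cd_htm.dll
Detected with: Adware.CyDoor
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152538.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 2)=>(ZIP Sfx s)=>cd_htm.dll
Deleted
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152538.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 209)
Infected with: Trojan.Downloader.3346.A
C:\Constructed\sample-only.exe=>(NSIS o)=>payload
Suspected of: BehavesLike:Trojan.Downloader
"""

RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.I)
VERDICT_RE = re.compile(r"^(Detected with|Infected with|Suspected of):\s*(.+)$")

def parse_report(text):
    """Map each outer file to its restore point (or None), threat names and deleted flag."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    found = defaultdict(lambda: {"restore_point": None, "threats": set(), "deleted": False})
    # The report alternates: one path line, then one status line.
    for path, status in zip(lines[0::2], lines[1::2]):
        outer = path.split("=>", 1)[0]      # file on disk; the rest is the archive chain
        verdict = VERDICT_RE.match(status)
        if verdict:
            hit = RESTORE_RE.match(outer)
            found[outer]["restore_point"] = hit.group(1) if hit else None
            found[outer]["threats"].add(verdict.group(2))
        elif status == "Deleted" and outer in found:
            found[outer]["deleted"] = True
    return dict(found)

def live_detections(report):
    """Outer files that are NOT inside a System Restore snapshot."""
    return sorted(f for f, e in report.items() if e["restore_point"] is None)
```

Files listed by `live_detections` are the ones that still need attention on the running system; the restore-point hits go away when the restore points themselves are purged.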

Post by VopThis » December 9th, 2005, 9:07 am

Did you reboot after Bitdefender and before Kaspersky?

What are your current issues, if any?

Post a revised HJT log please.



Entries such as C:\System Volume Information\_restore ....
are 'Restore Point' entries (see below).


To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.


As a final cleanup step, it is often advisable to Reset and Re-enable your System Restore to remove any bad files that may have been backed up by Windows. The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points which could likely be infected, anyway.)

PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
To Turn OFF System Restore.
  1. Click the Start button.
  2. Right-click My Computer, and then click Properties.
  3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
  4. Click Apply.

To Turn ON System Restore.
  1. Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
  2. Create new System Restore points.


(Windows ME)
See the following link for instructions:
http://service1.symantec.com/SUPPORT/ts ... ec_doc_nam




To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:

  1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
    http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
    http://www.microsoft.com/windows/ie/default.asp

  2. Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching, there are some good free Antivirus programs that are decent, including AVG and Avast!.
    AVG: http://free.grisoft.com/doc/1
    Avast: http://www.avast.com/eng/avast_4_home.html

  3. In addition to using Ad-aware, consider using another free malware scanning/removal program:
    Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
    Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
    MS Antispyware beta: http://www.microsoft.com/athome/security/s...re/default.mspx

  4. Consider using a free firewall if you are not already using one. Some good free ones are:
    Sygate: http://smb.sygate.com/products/spf_standard.htm
    Zone Alarm: http://www.zonelabs.com/store/content/comp...n.jsp?lid=ho_za

    It is not a bad idea to also consider using a Router/Hardware firewall device where you have a high-speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.

  5. Consider using an alternate free browser for general web surfing, but you must use IE for Windows updates.
    Mozilla Firefox: http://www.mozilla.org/products/firefox/

  6. Consider increasing your browser security by using these programs:
    SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
    SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known-bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html

  7. A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:
    • Run the HiJackThis tool and select ‘Open the Misc Tools section’.
    • Next select ‘Open host file manager’ button.
    • Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.
    • Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.

      #start of lines added by WinHelp2002
      # [Misc A - Z]
      127.0.0.1 phpadsnew.abac.com
      127.0.0.1 a.abnad.net
      127.0.0.1 e.abnad.net
      127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
      .
      .
      .
      #end of lines added by WinHelp2002




*Remember just like your primary anti-virus software, it is important to:
  • Keep all of these programs up-to-date, and
  • Use them on a regular basis.
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada
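
An added example, not part of the original post: one way to check a HOSTS file before and after the append step in item 7. It flags entries that point a name at a non-local address (worth a manual look) or that are not valid `address hostname` lines, and it appends only well-formed loopback entries that are not already present. The function names and both sample files are constructed for illustration; the WinHelp2002 marker lines and three of the host names come from the excerpt above.

```python
import ipaddress
import re

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$")

# Constructed samples: a current HOSTS file and a block list to append.
EXISTING = """127.0.0.1 localhost
203.0.113.10 www.example.com
127.0.0.1 a.abnad.net
"""
BLOCKLIST = """#start of lines added by WinHelp2002
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 e.abnad.net
127.0.0.1 http://ads.example.net
#end of lines added by WinHelp2002
"""

def classify(raw):
    """Return (verdict, names) for one line; verdict is None for blanks and comments."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None, []
    fields = line.split()
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return "malformed", []
    names = fields[1:]
    if not names or not all(HOSTNAME_RE.match(n) for n in names):
        return "malformed", []          # e.g. a URL where a bare host name belongs
    # Loopback or 0.0.0.0 sinks the name locally; anything else sends it elsewhere.
    local = ip.is_loopback or ip.is_unspecified
    return ("loopback" if local else "redirect"), names

def audit_hosts(text):
    """Return (line number, verdict) for every entry that needs a human look."""
    rows = ((no, classify(raw)[0]) for no, raw in enumerate(text.splitlines(), 1))
    return [(no, v) for no, v in rows if v in ("malformed", "redirect")]

def merge_blocklist(existing, blocklist):
    """Append well-formed loopback entries whose names are not already mapped."""
    known = {n.lower() for raw in existing.splitlines() for n in classify(raw)[1]}
    added = []
    for raw in blocklist.splitlines():
        verdict, names = classify(raw)
        fresh = [n for n in names if n.lower() not in known] if verdict == "loopback" else []
        added += [f"127.0.0.1 {n}" for n in fresh]
        known.update(n.lower() for n in fresh)
    return existing.rstrip("\n") + "\n" + "\n".join(added) + "\n" if added else existing
```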

Post by NonSuch » December 15th, 2005, 1:50 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link:
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California